Cyrus IMAPd 2.2.13p1 & 2.3.15 Released

Duncan Gibb duncan.gibb at
Wed Sep 9 12:35:55 EDT 2009

Thomas Jarosch wrote:

KM> I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
KM> These releases should both be considered production quality.  These
KM> releases are being made at this time to fix the potential buffer
KM> overflow vulnerability described in CERT VU#336053:

TJ> Regarding the buffer overflow: The cert website currently outputs a
TJ> "Lotus Notes exception". Is the overflow theoretically exploitable
TJ> via a malicious email or does a user need to upload a malicious
TJ> sieve script?

Hmmm...  Still down...

The user has to upload a malicious sieve script.  The DSA reads

  It was discovered that the SIEVE component of cyrus-imapd, a
  highly scalable enterprise mail system, is vulnerable to a
  buffer overflow when processing SIEVE scripts. Due to incorrect
  use of the sizeof() operator an attacker is able to pass a
  negative length to snprintf() calls resulting in large positive
  values due to integer conversion. This causes a buffer overflow
  which can be used to elevate privileges to the cyrus system
  user. An attacker who is able to install SIEVE scripts executed
  by the server is therefore able to read and modify arbitrary
  email messages on the system.

Bron's fix is at;r2=1.68



Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom || t: +44 870 608 0063
Debian Cyrus Team -

More information about the Cyrus-devel mailing list